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® Computer with virtual machine mode and multiple protection rings. 



® A computer system including a processor and 
memory, the procf»s.snr having a virtual modo of 
operation in which It uses a virtual machine monitor 
which allows it to service a plurality of users contem- 
poraneously in a multiplexed manner, and a non- 
virtual, or real, modo of operation. The computer 
system has a set of at least three operation mode 
protection rings representing a hierarchy of access 
privilege levels in both the real and virtual modes, 
with the number of privilege levels in both the real 
and virtual modes being the same. The privilege 
levels govern the accessibility of memory locations 
to programs and the executability of certain privi- 
leged instructions, which cause control to be trans- 



ferred to the virtual machine monitor when the pro- 
cesses is in a vlnuai mode. The two most privileged 
levels in the virtual mode are both treated as cor- 
responding to the second most privileged level in 
the real mode, whereby if the processor is in the 
most privileged virtual operating mode, access to 
memory locations is permitted only if the location is 
accessible to the second most privileged mode. 
When an instruction is retrieved, the processor firet 
performs a probe operation to determine whether it 
can access , any required memory locations 4 in re- 
sponse to its current privilege level, and then deter- 
mines whether it is in a privilogo level which allows It 
to process the instruction. 
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Background of the Invention 

1 . Field of the Invention 

Thft invfintinn mlatna QftnftraHy to trm field nf 
digital data processing (computer) systems, and 
more specifically to computer systems which op- 
erate in a virtual mode to provide one or more 
virtual mochjnoo end which hove moro than two 
protection rings arranged In a hierarchy and regu- 
lating access to locations in memory and the ex- 
ecutability of certain instructions. It is desirable to 
nave me computerpreserve the most privileged 
protection ring tor the real mode to allow an orderly 
transition and allocation of resources of the com- 
puter system among users In the virtual mode, By 
means of the invention, at least two of the protec- 
tion rings of the virtual mode are compressed, that 
. Is, they are made to correspond to a single protec- 
tion ring used bv the processor while processing in 
a real (non-virtual) mode. The compression Is such 
that at least the most privileged ring of the machine 
operating in the real mode has no corresponding 

ring In the virtual mod©. Otherwise stated, the most 
privileged ring of the processor operating in the 
virtual mode corresponds to a less than maximally 
privileged ring of the processor when it operates in 
the real mode, and two of the rings of the virtual 
mode correspond to one of the rings "of the real 
mode. Accordingly, compression allows the com- 
puter to appear to have at least as many protection 
rings in the virtual mode as Is provided in the real 
mode. 

2. Description of the Prior Art 

A digital data processing system generally in- 
cludes a processor,, a memory, and one or more 
input/output units, all of which are interconnected 
by one or more buses. The memory stores data In 
addressable storage locations. This data includes 
both operands and instructions for processing the 
operands . The processor causes data to be trans- 
ferred to, or fetched from, the memory unit, inter- 
prets the incoming data as either instructions or 
operands, and processes the operands in accor- 
dance -with the instructions. Tho results ate llitm 
stored In addressed locations in the memory. The 
input/output units also may communicate with the 
memory In order to transfer data into the system 
and to obtain processed data from it. The 
input/output units normally operate in accordance 
with control information supplied to -them by the 
processor. The input/output units may include, for 
example, printers, teletypewriters or video display 
terminals, and they also include secondary data 
storage devices such as disk drives or tape drives. 

When mmpi iter systems first heramR rnm- 



mercially available, they were substantially larger, 
more expensive, and significantly slower than 
present day systems. Typical earty systems pro- 
cessed one program at a time, from initially recelv- 

fi inrj the instructions and data, thmnph the profess- 
ing operations, and finally printing the results, be- 
fore beginning another program. 

As the cost of memory and logic circuits de- 
crocood end 03 tho logic circuits become foster, 

70 memories became larger and processing speeds 
increased. As a result, computer systems were 
developed 'In which several programs could be 
loaded into memory at one time ana processed in 
an interleaved fashion. If, for example, one program 

is needed to use a system resource, such as a slow 
input/output devicelike a printer or a disk drive, 
which was then being used for another program, 
the computer system's management programs, 
that is, the operating system, could schedule, the 

20 processing of portions of other programs until the 
device was available. When the resource became 
availiable, the operating system would then return 
to processing . the first program. This "multi-pro- 
gramming*' allowed for a more continuous uso of 

25 all of the computer resources by switching among 
programs when needed resources were not Imme- 
diately available. 

* In view of the expense of early computer sys- 
tems, many users were unable to justify the cost of 

30 an entire computer system. Computer systems 
were devised that allowed users to access them on 
a "time sharing" basis. In time sharing systems, a 
number of users could concurrently run different 
applications in a single system. The operating sys- 

36 tern kept track of the data and instructions from 
each user, scheduled the running of the applica- 
tions programs on a rotating basis, and transmitted 
the processed data to the users when the process- 
ing was completed. 

40 A problem with typical time sharing systems is 

that they generally used a single time sharing 
operating system under which all of the applica- 
tions programs wore run. Some typos of applica- 
tions programs ran better under certain operating 

45 systems than others, but the operating systems 
used in the time sharing systems did not permit 
the selection ul uther operating systems that may 
have been better for particular applications. 

Furthermore, typical time sharing systems did 

50 not allow a fairly direct access by the user to the 
system resources. For example, while a real com- 
puter system included identifiable input/output units 
such as disk drives and tape drives, printers, and 
so forth, and virtual' or relocatable memories inciud- 

55 ing identifiable pages and/or segments, these fea- 
tures were hidden from the user by the operating 
system. The user was not able to access a particu- 
lar Innatinn nn a disk or a particular location in 
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memory in a time sharing system. 

' To enable users to select among various op- 
erating systems, and to process as though they 
had direct access to system resources, virtual ma- 
chine architectures were developed in which a vir- 
tual machine monitor essentially multiplexed sys- 
tem resources among a number of users. The 
virtual machine monitor, a program, provided each 

user with a virtual machine which appeared to tho 
user to have the resources equivalent to an entire 
computer system. Such virtual machines may have 
corresponded to, or have had, the resources of the 
computer system, a subset ot the resources or tne 
computer system or additional resources that were 
not physically present in the computer system, and 
they may have been architecturally quite different 
from the computer system providing the virtual 
machines. Indeed, the virtual machines may have 
had different instruction sets from the instruction 
sets of the actual computer system providing the 
virtual machines. The computer system itself, in- 
, eluding the virtual machine monitor, was termed a 
"real" machine, or a machine operating in a "rear 

• rnodo, whoroao tho Get of resources available to the 

user was termed a "virtual" machine, or a machine 
operating in a "virtual" mode. A virtual machine 
user could directly use any of the operating system 
•and applications programs which would also run on 
a real machine and appeared to have direct access 
to the system resources that were provided to the 
virtual machine by the virtual machine monitor. 

Since computer systems may be used by 
many users at the same time, they generally in- 
clude features which provide a barrier between the 
users' applications programs and the system re- 
sources, to protect the system resources from pos- 
sible damage by the user programs. For example, 
many systems include resources such as compil- 
ers and interpreters fnr r.nnvfirtino programs written 
In high-level languages to machine code execut- 
able by the processor. It is generally undesirable to 
allow a user program to directly access memory 
locations allocated to tho compiloro or intorprotoro. 
Similarly, It is generally undesirable to allow a user 
program to directly access privileged areas of 
memory containing programs or to use "privileged" 
instructions which are be used by the operating 
system to manage the computer system's re- 
sources. As an example, it is undesirable to allow a 
user program to halt the processor, and so any 
such instruction is privileged. That is, the Instruc- 
tion may only be in an operating system program 
with the processor operating in a privileged operat- 
ing mode. 

Accordingly, computer systems have been pro- 
vided with "protection rings" having a hierarchy of 
protection levels which shield programs which con- 
trol system resources from other programs, such 



as user programs, and which allow access to those 
programs only in a controlled manner. Some com- 
puter systems, such as those sold by International 
Business Machines Corporation (IBM), have two 
s protection rings implemented as a supervisor mode 
and a problem mode. The problem mode allows 
execution of applications programs, and the su- 
pervisor mode allows execution of all other types of 

programs. 

10 Other computer systems, such as the VAX-1 1 
family of systems sold by the assignee of the 
present Invention, have more protection rings pro- 
viding various protection levels, in tne aforemen- 
tioned VAX-1 1 family, four protection rings are pro- 

75 vided, called the the kernel, executive, supervisor, 
and user operating modes, in order of decreasing 
privilege. The input/output functions and transfers 
to and from memory are performed in the kernel 
mode, which is the only mode in which privileged 

20 instructions can be executed. Various system re- 
sources such as the compilers and interpreters, 
and some programs which control video display 
terminals may be handled in programs executed in 
the executive and supervisor modes, and the ap- 

25 plications programs are processed in the user 
mode. 

The VAX-1 1 systems use the operating modes 
in' two ways. First, K a . program instruction is a 
privileged instruction, the processor determines if It 

30 is then operating in a mode, generally required to 
be the kernel mode, in which it can execute the 
instruction before it actually executes the instruc- 
tion, tf it is in the required operating mode, it 
executes the instruction, and otherwise traps to. an 

35 exception routine. 

The other way In which it uses the operating 
modes is to check whether the current program 
can read from and/or write to, that is, access, a 
location in. memory. Each location in memory, or 

40 more specifically each page, since the VAX-1 1 has 
a paged virtual memory, is accessible only when 
the processor is in a predetermined operating 
mode. Furthermore, each page may be accessible 
In a particular way; for example, a page may be 

45 read by programs in particular operating modes but 
not written, or it may be read and/or written by 
programs In various combinations of operating 
modes. For example, when the processor is pro- 
cessing programs in another mode than kernel 

so mode, it may not be able to access portions of 
memory reserved to programs which operate in 
kernel mode. However, in some cases, portions of 
memory which can be written by programs pro- 
cessed in the kernel operating mode may also be 

55 read but not written, or both read and written, by 
programs processed in other operating modes. 

Providing a virtual machine in a computer sys- 
tem having protection rings has proven to be riff- 
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ficuft, except in the degenerate case of two protec- 
tion rings as provided by systems sold by IBM. In 
the IBM systems, the virtual machine monitor is run 
In the supervisor mode, and all other programs, 
includino operating system programs, are run in 
the real machine's problem mode. 

However, no known computer system with 
more than two protection rings has been also pro- 
vided with a virtual mod© of operation. A number of 
techniques have been proposed for providing such 
a virtual mode, Including: 

1. Mapping the virtual rings into the same real 
tings and fuiulny all iiisliuuliuus executing In the 
most privileged ring of the virtual machine to 
trap to the virtual machine monitor. The virtual 
machine monitor would then emulate those 
instructions. This would, however, result in an 
undue expansion of the virtual machine monitor, 
as the virtual machine monitor would have to 
include emulation routines for all instructions in 
the processor's Instruction set, whether or not 
the instructions are privileged and whether or 
not the procedure used by the processor to 
ftxnnntft the instructions is altered hy the ariril- 
tlon of the virtual machine capability. Further- 
more, emulation of all of the instructions in the 
most privileged ring would result in a substantial 
reduction of the performance of the system, as 
emulation of instructions requires substantially 
more time than execution by the processor di- 
rectly. 

2. Adding a ring relocation register to the com- 
puter system to add a constant to each virtual 
ring number to obtain the corresponding ring 
number as seen ,by the computer system. How- 
ever, the virtual machine would be provided with 
fewer protection rings than the real machine, 
with the difference being determined by the 
value in the ring relocation register. This is un- 

. desirable if it is desired to allow the virtual 
machine to emulate the real machine, which 
requires the virtual machine to, have the same 
number of rings as the real machine. 

3. Mapping a virtual ring onto the next higher 
numbered real ring (that is, onto the next less 
privileged real ring) but mapping two adjacent 
virtual rings into tho samo real ring. This was 
asserted to be difficult because of the potential 
visibility of the ring, number to the program 
being processed. Another potential problem 
concerned me absolute interpretation ot the 
physical ring number in connection with certain 
instructions. For example, in the aforementioned 
VAX-11 architecture, the ring numbers are visi- 
ble in the CHAN3E MODE Instructions which 
change the current operating mode between the 
kernel, executive, supervisor and user operating 
modes. 



[See, for example, R.P. Goldberg. Archit- 
ecturalPrinciples for Virtual Computer Systems - 
(Ph.D. thesis, Harvard University, Cambridge, 
Mass., ESD-TR-73-105, HQ Electronics Systems 
6 Division. Hanscom Field. Bedford, Massachusetts, 
February 1973)] 

As has been noted, the protection rings are 
ucod to roguloto ooooco to pogoo in momory and 

io to inhibit the processor from executing certain privi- 
leged instructions unless it is In a predetermined 
operating mode. Thus, when the processor begins 
processing the Instruction, It must make two deter- 
minations. First, the processor determines that the 

15 instruction is executable in the current operating 
mode. .Second, the processor determines that the 
operands, if any, are in memory, and that they are 
. in pages that are available to the operating mode in 
which the program is running; that is, the processor 

20 determines- that a page fault or access violation will 
not occur when it attempts to retrieve the 
operands. Both of these operations are referred to 
as "probes". In the VAX-11, the access code in- 
riinating the Ratability of the pages containing the 

25 operands are provided In the page table entry 
which is used in translating virtual addresses to 
physical addresses. 

In all known processors, the processors first 
determine whether they can execute an Instruction 

30 before testing the accessibility of the operands. 
However, if the processor traps to a virtual machine 
monitor to emulate the instruction, the monitor 
must determine the accessibility of the pages con- 
taining the operands. Providing this capability in 

36 the virtual machine monitor is, however, essentially 
redundant of the same capability In the processor. 

Summary of the Invention 

40 In brief summary, the invention provides a new 

system in which the processor provides more than 
two protection rings defining a hierarchy of protec- 
tion Iev9l8 each associated with an operating mode, 
and further including a virtual machine monitor 

45 which provides virtual machines, comprising the . 
actual computer system with the processor operat- 
ing in a virtual mode, to a plurality ol usets. Twu ur 
more of the operating modes of the processor in 
the virtual mode are compressed so as to be 

so treated as a single mode in the real, or non-virtual, 
mode, such that (1) the most privileged operating 
mode in the real mode has no corresponding vir- 
tual operating mode and the most privileged op- 
erating mode in the virtual mode is less privileged 

65 than the most privileged operating mode in the real 
mode and (2) the least privileged operating mode 
of tne virtual mode is at least as privileged as the 
least privileged operating mode of the real mode. 
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In one embodiment, the most privileged and 
second most privileged virtual operating modes are 
compressed to correspond to the second most 
privileged physical operating mode. This is accom- 
plished as follows. A separatR status word is pro- 
vided for the virtual mode, and a separate stack 
pointer Is provided which is used for one of the 
compressed virtual operating modes. The virtual 
moohino monitor may omulato on inotruction, ond, 
when It probes the accessibility of a location in 
memory to programs operating in the most privi- 
leged virtual operating mode, it actually tests the 
location's accessibility to programs operating in tne 
second most privileged operating mode. To a pro- 
gram processed by the processor in the virtual 
mode, the processor appears to Include the full 
number of protection rings provided to the real 
machine. 

In another aspect of the invention, each time an 
instruction is retrieved, the processor first probes to 
determine It the operands are In memory and ac- 
cessible to the program in the current operating 
mode. If they are, the processor probes the opera- 
tion cod© to determine if the instruction can be 
executed in the current operating mode. If it can 
be. the processor retrieves the operands and ex- 
ecutes the instruction. If the processor Is operating 
in a virtual mode, and specifically in the most 
privileged operating mode thereof, it may trap to 
the virtual machine monitor to handle the instruc- 
tion. The order in which the operands and instruc- 
tions are probed allows the virtual machine monitor 
to be simplified, since It does not have to deter- 
mine whether the operands are accessible by the 
program in the current operating mode after the 
trap to the monitor. 

Brief Description of the Drawings 

This Invention is pointed out with particularity 
in the appended claims. The above and further 
advantages of this invention may be better under- 
stood by referring to the following description taken 
in conjunction with the accompanying drawings, in 
which: 

Fig. 1A illustrates, in general block diagram 
luim, a cumputer system uunsliuuleU in auuur- 
dance with the invention. 
Fig. IB illustrates the allocation of resources of 
the computer system depicted in Fig. 1A to 
three virtual computer systems; 
Fig. 2A is a diagram illustrating the various 
operating modes available on the real and virtual 
machine and the privilege relationship between 
different operating modes; 
Fig. 2B is a table Illustrating the correspondence 
between operating mode numbers and the var- 
ious operating modes dopictad In Fig. 2A; 



Figs. 2C and 2D are diagrams that are useful in 
illustrating specific computer systems for carry- 
ing out the invention; 

Rgs. 3A through 3C illustrate the registers pro- 
k vided in thR nnmpHter system depicted In Fig 

1A; 

Rg. 3D-1 and 3D-2 illustrates various fields In a 
processor status longword and a virtual machine 
processor atotua longword in the computer sys- 

io tern depicted In Fig. 1A; 

Rg. 4 is a flow diagram Illustrating the steps 
performed by the computer system depicted in 
Fig. ia in probing the operands ana operation 
codes of an Instruction to determine whether the 

is operands can be accessed and the instructions 
executed by the computer system in the various 
operating modes; 

Rgs. 5 through 9 illustrate the operations per- 
formed by the processor depicted in Fig. 1A in 
20 processing various instructions. 

Detailed Description of an Illustrative Embodi- 
ment 

25 1 . General Description 

The invention will be described In connection 
with a VAX-11 computer system sold by the as- 
signee of the present application. A prior VAX-1 1 

oo computer system, which does not include the in- 
vention, is described in the VAX-11 Architecture 
Reference Manual, Publication No. EK-VAXAR-RM- 
001, Revision 6.1, 20 May 1982, sold by the as- 
signee of this application, which is incorporated 

35 herein by reference. 

As exemplified In Rg. 1A, a computer system 
constructed in accordance with the invention com- 
prises a central processor unit 10, a memory 11, 
and one or more input/output units 12. The proces- 

40 sor 10 executes Instructions that are stored in 
addressable storage locations in the memory 11. 
The instructions identify operations that are to be 
performed on oporandc, which ore oleo ctorod in 
addressable locations in the memory. The Instruc- 

45 tions and operands are fetched by the processor 
10 as they are needed, and processed data are 
returned to the memory tor storage. 

The processor also transmits control informa- 
tion to input/output units enabling them to perform 

so selected operations, such as transmitting data to or 
retrieving data from the memory 11. Such data 
may include Instructions, operands which may be 
transmitted to the memory for later processing by 
the processor 10 or processed data which is re- 

ss trleved from the memory for storage, display or 
transmission to other systems. 

An operator's console (not shown) connected 
to the processor 10 servos as the operator's inter- 



6 



9 



EP 0 480 546 A2 



10 



face. It allows the operator to examine and deposit 
data, hart the operation of the processor, or step 
the processor through a sequence of Instructions 
and determine the responses of the processor In 
response thereto, h also enables an operator to 
Initialize the system through a bootstrap procedure, 
and perform various diagnostic tests on the entire 
data processing system. 

Tl« data processing system may include sev- 
eral types of input/output units, Including for exam- 
ple, secondary storage units such as disk drives 
13, printers 14, and communications interfaces 15 
allowing transmission of data to, or receipt of data 
from telephone lines or microwave links or the like, 
all connected to the CPU and memory through one 
or more interfaces 16. In addition, the input/output 
units 12 include one or more video display termi- 
nals 16 which are also connected to the processor 
and memory through interfaces 17 to allow the^ 
tiserR to use the system. 

The system depicted in Fig. 1A also includes a 
virtual machine monitor 20 which makes available 
the resources provided by CPU 10, memory 11, 

and tho otorago, communication and printing unite 

connected thereto, and other resources which are 
not physically present in these units but which may 
be emulated by them, to users on the various video 
display terminals 17. By means of virtual machine 
monitor 20, the system depicted in Fig. 1A appears 
to be several separate systems, termed "virtual 
machines" as depicted in Fig. 1B, which can ap- 
pear to have different resources and operating sys- 
tems. 

Fig. 1B illustrates the resources provided by 
three exemplary virtual machines which are ac- 
tually provided by the computer system of Fig. 1A. 
The virtual machines, denominated by the letters 
"A'\ "B", and "C", each includes a CPU, memory, 
and various portions of input/outputs 12 (Fig 1A). 
and each includes one or more of the video display 
terminals 17. For example, virtual machine "A" 
(Fig. 1B) includes a single video display terminal 
1 7 connoctod through on Interface 1 0A and running 
an operating system OP SYS 1. The virtual ma- 
chine "A" provides the resources of a CPU 10A, 
which may correspond to CPU 10. It also provides 
the resources of a memory UA, input/output inter- 
face 16A, a disk facility 13A, a printer facility 14A, 
and communications through a communications in- 
terface facility 15A. The memory 1 1 A may cor- 
respond to, that is, have as many locations as, 
memory 11, or It may correspond to a subset of 
memory 11 in the real machine depicted in Fig. 1A, 
or it may appear to have more locations than the 
real machine. The virtual machine monitor may 
emulate the additional memory locations by storing 
unused data on the disk drives 13 in the real 
machine. Similarly, the disk facility 13A may cor- 



respond to a disk 13 in Fig. 1A. or it may cor- 
respond to one or more sectors, tracks, or cyl- 
inders on one or more of the disks 13 in a real 
machine depicted in Fig. 1A. Similarly, the virtual 

6 machine "A" includes a printer facility 14 A. Printer 
facility 14A represents the use by the virtual ma- 
chine A of the printer 14 (Fig. 1A) by the virtual 
machine A. Similarly, the communications interface 
facility 15A repiesents the use by virtual machine A 

to ol the communications interface 15. 

The virtual machine B Includes a CPU 1 0B and 
memory 11B which communicate with two video 
display terminals 17 through an Interface 18B. The 
virtual machine B runs operating system OP SYS 

75 2, and includes two disk drive facilities and 13B, a 
printer facility 14B connected through an 
input/output interface 16A. It has no communica- 
tions interface, it will be appreciated that the sizes . 
and control requirements of the disk facilities 13B 

20 and 13A may differ, and the availability of thn 
printer facilities 14A and B to the users of the 
virtual machines may also differ. 

The virtual machine "C" includes a CPU 10C, 

momory 11C, input/output intorfooo 16C, two diok 

25 facilities 13C, a printer facility 14C, a communica- 
tions interface facility 15C and a tape facility 21 C. 
The virtual machine may emulate the tape facility 
in the real memory 11 or a real disk drive 13, for 
example. The virtual machine "C" also includes 

30 three video display terminals 17 connected to the 
CPU and memory through a VDT interface facility 
18C. The virtual machine X" runs an operating 
system OP SYS 3 which may differ from operating 
systems OP SYS 1 and 2. 

35 As will be appreciated by those skilled in the 
8rt, the CPU facilities 10A, 10B and 10C are pro- 
vided by the processor 10 (Rg. 1A) in the real 
machine, except that the CPU facilities will appear 
to be slower since the virtual systems are actually 

40 multiplexed onto the system depicted in Fig, 1A. 
The CPU facilities may have the same instruction 
set and register resources and they may process 
data in tho same manner as processor 10, as seen 
by the users, or they may be emulations of proces- 

46 sors having other instruction sets and register re- . 
sources and they may process data in a different 
manner as the processor 10. 

The memory facilities 11 A, 11 B, and 11C may 
be identical to memory 1 1 , proper subsets of mem- 

60 ory 11 or, as noted above, they may appear to 
have more locations than in the real physical mem- 
ory. Similarly, the disk facilities 13A, 13B and 13C 
may correspond to specific disks 13 in Fig. 1A, or 
they may correspond to one or more sectors. 

55 tracks, or cylinders in the physical disks 13 in the 
system depicted in Rg. 1A. Additionally, the printer 
facilities 14A, 14B and 14C may correspond to a 
real printer or to areas in the memory 11 or disks 
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13, and communications interface facilities 15A and 
15C may also correspond to certain lines of the 
communications interface 15 or to areas in disks 13 
in Rg. 1A. 

The VDT interface facilities 18A, 18B and 18C 
also correspond to the portions of the VDT inter- 
face 18 in the system of Fig. 1A for each terminal 
17. 

Tho virtual machine facilities in virtual ma- 
chines rt A", "B" and "C" are managed by virtual 
machine monitor 20. The manner in which a typical 
virtual machine monitor operates is well known by 
tnose skilled in the art. See, tor example Madnick 
and Donovan, Operating Systems (McGraw Hill, 
1974) at pages 549 et seq. 

2. Protection Rings and Operating Modes 

With reference to Fig. 2A, the computer sys- 
tem depicted in Fig. 1A has four operating modes 
forming protection rings defining a hierarchy of 
privilege levels having numerical reference iden- 
tifications as set forth in Fig. 2B. The protection 
ring c prevent programe in an outer, that ie, lose 
privileged, ring from interfering with programs or 
data in a relatively inner, that is, more privileged, 
ring. The computer system has two sets of operat- 
ing modes, one set for the virtual mode and the 
other for the real (non-virtual) mode, with the most 
privileged operating mode of the real mode also 
being used by the system when it is in the virtual 
mode. A program In, for example, the real user 
operating mode may not access locations In mem- 
ory allocated to the real supervisor, executive or 
kernel mode but it may call on programs in those 
operating modes for service to perform various 
operations for it. 

The use of protection rings, and the choice of 
assignment nf programs tn snanifin rings, is wall 
known in the art. In one specific embodiment, the 
real kernel includes programs which manage the 
system resources, including programs which man- 
ogo input/output unito 12, and voriouo ro6ourcoo of 
processor 10 and memory 11. Specifically, If a 
program Includes instructions which attempt to ac- 
cess, for example, control locations in the disk 
drives 13, prthter 14 or communications interface*. 
15, the instruction will not be executed unless the 
processor is operating in the real kernel mode. 
Similarly, certain instructions, such as HALT, which 
causes the processor 10 to halt or to stop oper- 
ations, will not be executed unless the processor is 
operating in the real kernel mode. If a program 
being executed in virtual mode includes such an 
Instruction, the virtual machine monitor will emulate 
the instruction. In the case of the HALT instruction, 
for example, the virtual machine monitor halts the 
operation of only the virtual machine whose pro- 



grams included the instruction, allowing the other 
virtual machines to continue operation. 

The programs allocated to the supervisor and 
executive of the operating system depend upon 

c engineering considerations. For example, a com- 
piler and interpreter may be in the executive ring, 
and programs which manage the display terminals 
17 may be in the supervisor ring. The user pro- 
grama may include, for example, applications pru- 

10 grams such as word processing, . accounting, or 
computer assisted design programs, or the like. 

In accordance with the invention, the virtual 
machine monitor 20 also provides virtual operating 
modes providing four protection rings, including a 

is virtual user ring, which corresponds to the real user 
ring, a virtual supervisor ring corresponding to the 
real supervisor ring, and a virtual executive and 
virtual kernel ring, both of which are compressed 
so as to correspond to the real executive ring. 

20 When the processor 10 operating in the virtual 
mode, and specifically in the virtual kernel operat- 
ing mode, attempts to execute a privileged instruc- 
tion, which can only be processed with the proces- 
eor being in tho kernel- mod o, tho prooocoor ox- 

25 ecutes the instruction using microcode or software 
routines which first .determine whether the proces- 
sor is operating in a virtual mode or a real mode, 
since the operation of the processor will vary de- 
pending on whether it is operating in a virtual or 

30 . real mode, if the routines are in software, they form 
part of the virtual machine monitor, and are used to 
emulate the instruction. Examples of the routines 
used to execute several such instructions in the 
VAX-11 architecture are presented in Figs. 5 

38 through 9, which are described below. 

In accordance with the invention, when the 
processor in the virtual mode executes a kernel 
operating mode instruction, If that instruction re- 
quires amass tn mRmnry, the processor deter- 

40. mines whether it can access the memory location 
based on the accessibility of the location to execu- 
tive operating mode. If the processor is in the 
virtue! executive operating mode, and if It executes 
an instruction which requires access to memory, 

45 the processor also determines whether It can ac- 
cess the memory location based on the accessibil- 
ity of tne location to the executive operating mooe. 
Thus, both the virtual kernel and virtual executive 
operating modes provide the same protection as 

so the real executive operating mode, and programs 
operating in the virtual kernel operating mode are 
not able to access locations in memory for the real 
kernel operating mode. 

55 3. Specific Illustrations of Systems 

Two systems for carrying out the invention will 
be described In connection with Figs. 2C and 2D. 
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With reference to Fig. 2C, a processor 150 in- 
cludes a processing circuit 151 that includes con- 
ventional data paths and control circuitry for ex- 
ecuting Instructions. The instructions and data are 
rfttriovRft from a momnry 15? hy an interface circuit 
153 in response to requests therefor from the pro- 
cessing circuit 151. 

As is conventional, the memory 152 includes a 
plurolity of addressable storage locations (not 
shown) In which data and instructions are stored. 
Associated with each location is a privilege level 
storage register, the collection of which Is indicated 
by the reference numeral 154, which may reside In 
the memory or in the processor. The privilege level 
storage register stores the privilege level required 
to read or read/write the location. In the system 
depicted in Fig. 2C, the privilege level storage 
registers are depicted as residing in the processor 
150. 

When the Interface circuit reads the contents 
of. or writes data to, a location in memory 152, it 
also transmits the ADRS address signals, which 
identify the location in memory 152 being read or 

written, to the privilege registers 154. The contents 

of the register associated with the address are 
transmitted as PRIV LVL privilege level signals to 
one input terminal of a comparator 155. 

The processor t50 also includes an operating 
mode register 156, which indicates the operating 
mode In which the processor is operating, and a 
virtual mode register 157, which indicates whether 
the processor is operating in a virtual or real, that 
is, non-virtual, mode. The contents of the operating 
mode register are transmitted as OP MODE operat- 
ing mode signals to a compression circuit 160 and 
.to one Input terminal of a multiplexer 161. The 
other input terminal of the multiplexer is connected 
to the output terminal of the compression circuit 
160 to receive COMP MOD compressed mode 
signals therefrom. 

The COMP MOD compressed mode signals 
from the compression circuit 160 are used by the 
proooccor 150 when it ic in tho virtual modo to 
determine whether the processor can access the 
addressed location in memory 152. If the processor 
is in virtual mode, the contents of the virtual mode 
royistwr enables multiplexer 161 to uuupte the 
COMP MOD compressed mode signals as SEL 
MOD selected mode signals to comparator 155. 
However, if the processor is not in virtual mode, the 
contents of the virtual mode register enables the 
multiplexer 161 to couple the uncompressed OP 
MOD operating mode signals as the SEL MOD 
selected mode signals to comparator 155. 

The comparator 155 also receives the PRIV 
LVL privilege level signals from the privilege regis- 
ters 154 and asserts a COMP OK comparison 
Ratlsfartfory filQnal If tho SFI MOD signal indicates 



that the processor has the required operating mode 
level to access the addressed location. If the 
COMP OK signal is asserted, the processing circuit 
151 is enabled to execute the Instruction; otherwise 
the processing circuit is inhibited from executing 
the instruction. 

The compression circuit 160 generates the 
COMP MOD compressed mode signals in accor- 
dance with o compression function T" which maps 

w the elements of a set A = (0, 1,...,N), which repre- 
sent the privilege levels of the processor operating 
in a virtual mode, onto a set B = (0, 1.....N), which 
represent the privilege levels which will be en- 
forced by the processor, with "N" being greater 

is than or equal to B 2 K (that is, there are at least three 
privilege levels). In both sets, the successive ele- 
ments represent the levels of decreasing privilege, 
as depicted in Fig. 2B. In accordance with the 
invention, the (unction n F" may be any function 

20 which satisfies the followino conditions: 

I. F (0) is greater than "0", and 

II. if T and V are elements of set "A" such 
that V is greate^ than, or equal to "J", then F (i) 
is greater than or*equal to F (j). 

25 In the embodiment of the Invention described 

above in connection with Figs. 2A and 2B, the 
following compression function is used: 

i. F (0) = 1,and 

ii. if V is greater than "0* and less than or 
30 equal to "N", then F (i) = i. 

Thus, if the processor in virtual mode and kernel 
operating mode (which has privilege level "0", as 
shown in Fig. 2B) desires to access a location in 
memory, the location must be accessible to pro- 
as grams operating in executive mode (which has 
privilege level "1 "). H the processor In virtual mode 
and in excutlve, supervisor or user operating 
modes (which have privilege levels "1 "2" and 
"3", respectively) desires tn anoRss a Incntinn in 
40 memory, the location must be accessible to pro- 
grams operating in the executive, supervisor and 
user modes, respectively. 

Ao io opparont to thooo 3killed in the art, the 
privilege registers 154 may reside in memory in- 
45 stead of the processor, and the interface circuit 153 
may retrieve the contents of the register associated 
with the location to be retrieved prior to the re- 
trieval of the location. This may be particularly 
useful in connection with systems in which the 
50 memory is a virtual memory, as the privilege regis- 
ters may form part of the virtual address to phys- 
ical address translation system. 

As an alternative to the system depicted in Fig. 
2C, the system could store in the privilege regis- 
55 ters 154 the compressed privilege level to which 
the associated locations will be accessible. If this. is 
done, the compression operation need not be per- 
formed for every memory access. This alternative 
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will be described in connection with Fig. 2D, In 
connection with a demand-paged virtual memory, 
using the VAX-1 1 architecture as an example. 

The VAX-1 1 architecture described In the 
aforementioned VAX-1 1 Architecture Reference 
Manual has a demand-paged virtual memory, in 
which program references to memory locations, 
that is, virtual addresses, identify locations in a 
virtual memory space, and the VAX-1 1 computer 
system translates those addresses to physical ad- 
dresses which identity actual locations in the phys- 
ical memory in which the desired data is stored. 
Tho virtual momory space is divided into pages of 
a predetermined number ol byte locations, in one 
embodiment five hundred and twelve byte loca- 
tions, and the physical memory is divided into 
Clocks ot a like number ot locations. When a pro- 
gram requires access to one such location in the 
virtual memory space, the computer system re- 
ferences a page table which has a plurality of 
entries, that is, "PTEs", Each PTE contains a page 
frame number which is used to identify the blocks 
in physical memory in which the referenced page 
of the virtual memory space is located. Each entry 
also has an A/R access rights field which identifies 
the operating modes which have access to the 
locations within the block and how those locations 
may be accessed, that is, whether programs in the 
operating modes may read or write the locations 
therein. Each entry also has a V valid field which 
indicates that the entry is a valid entry and may be 
used for translation, and an M modify field which, 
when in a predetermined condition, indicates that a 
location in the block has been modified by a write 
operation to the memory. The page tables are 
established in a known manner by memory man- 
agement programs in the computer's operating 
system. 

.. With reference to Rg. 2D, when the computer 
system is in a virtual mode, the operating system, 
for example, OP SYS 1. OP SYS 2 and OP SYS 3 
shown in Fig. 1B, generates virtual mode page 
tRhlns as dflRnrihftd ahovo whir.h am used to trans- 
late between virtual memory spaces of programs 
being run thereunder and a virtual mode physical 
address space. It will be appreciated that the virtual 
modo physical address space is not the physical 
address space ol the computer system, but instead 
is en emulation of a physical address space pro- 
duced by the virtual machine monitor. As has been 
noted above, me virtual mode physical address 
space may correspond to the computer system's 
physical address space, or to a subset of the 
computer system's physical address space, or to 
an address space larger than the computer sys- 
tem's real physical address space. 

The virtual machine monitor also generates and 
uses a VMM Physical Address Map which includes 



VMM MEs virtual machine monitor map entries. 
The virtual machine monitor establishes a physical 
address map for each virtual machine it operates. 
The VMM map entries are generally similar to the 

5 entries in the page tables generated by the operat- 
ing system. As shown in Rg. 2D, each VMM PTE 
includes an A/R access rights field and a PFN 
page frame number field. The access rights fieldjn 
the map entries indicate only whether the virtual 

w machine may read or read/write the indicated block 
in memory. The virtual machine monitor uses the 
VMM map entries in translating the addresses in 
Lhe virtual muUe physical aUUrwss space to ad- 
dresses in the real physical address space. 

15 Thus, if the processor requires access to a 
location in page X of the VM virtual address space, 
it first retrieves the page table entry for the page 
from the VM page table (PTE: PG X). If the valid 
field V indicates that the page is in memory, and 

20 the access rights field indicates that the processor 
is in an operating mode In which the requested 
read or write operation may be performed, the 
processor uses the page frame number (PFN) to 
obtain the address in th« VM "physioR!" address 

25 space of the block in memory, block A, which Is 
currently assigned the data for page X of the VM 
virtual address space. 

The processor then determines the address of 
the corresponding location in the real physical 

30 memory. First, it retrieves the map entry for block 
A in the VM physical address space from the VMM 
physical address map (ME: BLK A). If the access 
rights field indicates that the requested read or 
write operation may be performed, the processor 

35 uses the page frame number to obtain the address 
in the real physical memory of the block in mem- 
ory. Block Q which actually stores the data for 
page X of the VM virtual address space. 

The virtual machine monitor also has a virtual 

40 address space, and the processor makes use of a 
VMM page table to translate addresses in the VMM 
virtual address space to the addresses in the real 
physical memory. The VMM page table entries 
(VMM PTEs) are similar to the VM PTEs, and 

45 include a V valid field, A/R access rights field, M 
modify field, and PFN page frame number field, all 
of which are used in the same way as the cor- 
responding fields of the VM PTEs. The result of the 
translation of an address in, for example, page Y of 

so the VMM virtual address space, using the VMM 
page table entry corresponding thereto (VMM PTE: 
PG Y) is an address in Block R of the real physical 
memory. 

As is conventional, the computer system, spe- 
65 cifically the virtual machine monitor, after establish- 
ing a VMM physical address map, establishes a 
shadow page table, or a composite ot a VM page 
table generated by the operating system running 



10 



17 EP 0 480 546 A2 18 



on the computer system, and the VMM physical 
address map. The shadow page table allows a 
direct translation between the virtual mode virtual 
address space and the real physical address 
space, thereby reducing the number of translations 
required between a program reference to memory 
and the actual memory access. The shadow page 
table includes page table entries having fields with 
idontiool mooningo a© tho VM and VMM pago 

tables. 

In accordance with the invention, when the 
virtual machine monitor generates a shadow page 
table, It uses the same compression function de- 
scribed above In connection with Fig. 2C to deter- 
mine the contents of the A/R access rights fields in 
the SPT PTEs. Specifically, for the specific em- 
bodiment noted In connection with Fig. 2C, if the 
contents of the A/R access lights field in the VM 
Page Table indicates that the block in the VM 
physical address space is readable or read/writable 
by programs in the user, supervisor or executive 
operating modes, and if the VMM MEs indicate that 
the block in real physical memory is readable or 

raart/wrltahln hy the virtual machine, the A/R ac- 
cess rights field in the SPT PTEs also Indicate that 
the corresponding blocks in the real physical ad- 
dress space are available to programs in the user, 
supervisor or executive operating modes. However, 
if the contents of the A/R access rights field in the 
VM Page Table indicate that the block is available 
to programs in the kernel operating mode, since 
the computer system Is in virtual mode, the PTE 
indicates that the corresponding block in the real 
physical address space Is available to programs in 
the executive operating mode. Thus, the locations 
in memory associated with the kernel operating 
mode of the processor when operating In the virtual 
mode are available to programs operating in the 
executive operating mode. 

It will be appreciated by those skilled in the art 
that the VMM address translation allows data to be 
shared as between several virtual machines in a 
controlled manner. For example, several VMM MEs 
relating to different virtual machines , may identify 
the same block In the real physical address space 
and thereby allow contemporaneous access to pro- 
grams running under both virtual machines. The 
access rights to the block of programs running 
under the different virtual machines may, however, 
differ. For example, programs running under one 
virtual machine may be able to both read and write 
locations In a block, while programs running under 
another virtual machine may only be able to read 
the locations. In addition, a block may be available 
to programs under one operating system which 
operate in the supervisor and more privileged op- 
erating modes, and not available to the user op- 
erating mode, and the same block may also be 



available to user operating mode programs running 
under another operating system. Thus, the access 
to shared data may be regulated by the virtual 
machine monitor. 

s It will further he appreciated that similar com- 

pression functions may be used if it is desired to 
allow the virtual machines to have more or fewer 
rings than the real machines. Specifically, if the 
virtual mochino io to havo moro rlngo then tho real 

io machine, any compression function F may be used 

to map the set A = (0, t N) of privilege levels in 

the virtual machine into a set B = (0. 1 M) of 

privilege levels in the real machine, with me suc- 
cessive elements of the sets corresponding to suc- 

is cessively less privileged rings, N greater than M 
and M greater than *T\ as long as the function 
satisfies the following relationships: 
i. F (0) is greater than W (T; 
li. F (N) is less than or equal to M; and 

20 HI if V and "I" are elements of set "A" such 
that V is greater than or equal to T, then F (I) 
Is greater than or equal to F G). 
Since the number of protection rings in the virtual 
mode (specifically, the number of rings is "N + 1 "), 

25 is greater than the number of rings in the real 
mode ( n M + 1 rt ), to satisfy these conditions the 
compression function must compress at least two 
of the virtual rings to correspond to a signal real 
ring. 

30 Similarly, If the virtual machine is to have fewer 

rings than the real machine, that is, N is less than 
M and M greater than "1 the function must satisfy 
the following relationships: 
i. F (0) is greater than "0"; 
35 H. if V is greater than or equal to "j", then F (i) 
is greater than or equal to F (j); 
ill. for at least one V and "j", V not equal to 
"j", F (i) is equal to F (j): end 
iv. if n i° and V are elements of set "A" such 
40 that V Is greater than or equal to "j", then F (i) 
is greater than or equal to F (j). 
Since- the number of protection rings in the virtual 
mode (specifically, the number of rings le "N + 1 w ), 
is less than the number of rings In the real mode 
45 ("M + 1"), the last condition (iv) must be observed 
to achieve compression. 

It will further U? appreciated by those familiar 
with the VAX-11 architecture as set forth in the 
aforementioned VAX-1 1 Architecture Reference 
so Manual that the VAX-11 virtual memory space is 
divided into a plurality of regions, including system 
space and two per-process spaces, and that the 
translation arrangement described in connection 
with Rg. 2D relates to the translation for system 
65 space. The translation for the per-process spaces 
is analogous. 

4. Register Sets 



11 



19 



EP 0 480 546 A2 



20 



Figs. 3A through 3C depict the registers in- 
cluded in processor 10 used in the processing of 
programs. Fig. 3A depicts the registers used by 
processor 10 in processing programs in either the 
real mode or the virtual mode. These registers 
include general purpose registers RO through R13, 
a stack pointer register R14, a program counter 
R15, a user stack pointer register 50, a supervisor 
otook pointer rogictor 61, and an oxocutivo ctaok 
pointer register 52. The registers RO through R13 
can be used as pointers, arithmetic accumulators* 
or for any other general purpose function. The 
stacK pointer register RI4 contains the stack point- 
er currently being used. Program counter register 
R15 identifies the location in memory 11 of the 
next instruction to be processed by the processor. 
The user, supervisor, and executive stack pointer 
registers 50 through 52 Identify the locations in 
memory of the stacks for the respective modes, 
except when the processor Is in the corresponding 
operating mode. At that time, the operating mode 
stack Is identified by the contents of stack pointer 
register R14, which are obtained from the cor- 
responding operating mode stack pointer register 
when the processor changes operating modes. 

Fig.' 3B depicts additional registers used by 
processor 10 In the real operating mode. These 
registers include a kernel stack pointer 53, an 
asynchronous system trap (AST) level register 54, 
an Interrupt stack pointer register 55, an interrupt 
summary register 50, an interrupt request register 
57, and a processor status longword register 60. 
The kernel stack pointer register 53 is similar in 
function to the user, supervisor, and executive 
stack pointer registers 50 through 52. 

The AST level register 54 Identifies the most 
privileged level operating mode for which an asyn- 
chronous system trap is pending. For example, If 
an asynchronous system trap is pending for a 
program operating in the real supervisor level, and 
H the processor 1 0 is operating in the kernel mode, 
it Is undesirable to service the trap until the proces- 
sor returns to at least the supervisor mode. When 
the processor changes modes, it can check the 
contents of the AST level register 54 to determine 
whether a trap is pending at the new or a more 
privileged operating mode and trap at that Ume. 

The interrupt stack pointer register 55 is used 
to Identify the location in memory of the Interrupt 
stack, which is typically transferred to stack pointer 
register R14 when the processor 10 begins servic- 
ing an interrupt. When the processor finishes ser- 
vicing an interrupt, the contents of the stack pointer 
register R14 are transferred to the interrupt stack 
pointer register 55 after the registers have been 
restored in a conventional manner. 

The interrupt summary register 56 is used in 
connection with interrupt requests. Processor 10 



has a plurality of interrupt priority levels, and the 
interrupt summary register identifies the interrupt 
priority levels at which interrupts are pending. 
The interrupt request register 57 may be used 

fi by the executing program to request interrupt ser- 
vice. The data written-- to the register specifies the 
interrupt priority level of the requested interrupt. 
The priority level loaded into register 57 is then 
roflootod in interrupt oummary rogiotor 66. 

w The processor status longword 60, which will 
be described below in connection with Figure 3D-1 , 
contains status information in connection with the 
currently executing program. 

To enable the processor 10 to operate in a 

is virtual mode, the processor also includes a plurality 
of registers, termed herein virtual registers, de- 
picted in Fig. 3C. When the processor is operating 
in a virtual mode, ft uses the registers depicted in 
Fig. 3A and the registers depicted in Fig. 3C. The 

20 virtual registers include a VM (virtual machine) ker- 
nel stack pointer register 61, a VM AST level 
register 62, a VM interrupt stack pointer register 
63, a VM interrupt summary register 64, a VM 
interrupt request register 65, and a VM process 

25 status^ longword register 66. Each of the virtual 
registers depicted in Rg. 3C corresponds to a 
register in the real register set depicted in Fig. 3B, 
and the processor uses the registers 61 though 66 
in the same way that it uses registers 53 through 

30 57 and 60 when in the real mode. 

With reference again to stack pointer register 
P14, mode stack pointer registers 50 through 53, 
and 61 and interrupt stack pointer registers 55 and 
63, the mode and interrupt stack pointer registers 

36 are used when the processor changes operating 
modes, as explained below in connection with Figs. 
8A-1 and 8A-2, and, in the case of the interrupt 
stack pointer register, when the processor begins 
processing an interrupt or returns therefrom. In 

ao brief, when the processor begins processing an 
interrupt, it typically transfers the contents of the 
stack pointer register R14 to the mode stack point- 
er register 50 through 53 or 61 corresponding to 
the current operating mode. The contents of the 

45 interrupt stack pointer register 55 or, if the proces- 
sor is in the virtual mode, the VM interrupt stack 
pointer register 63, aie transferred lo stack puinler 
register R14, and the contents of selected registers 
are transferred to the interrupt stack in memory 

so identified by the contents of the stack pointer regis- 
ter. When the processor returns from an interrupt, 
the sequence for which is contained in Figs. 7A-1 
through 7E, the process is essentially reversed. 
The contents of processor status longword 60 

56 and VM processor status longword 66 in the pro- 
cessor 10 constructed In accordance with the in- 
vention will be described in connection with Figs. 
3D-1 and 3D-2. It will be appreciated that the 
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processor has separate processor status longwords " 
60 and 66 for the virtual and real modes, both of 
which have many of the same fields. Both proces- 
sor status longwords include a plurality of fields 70 
through 77 and 70A through 77A which identify 
various conditions concerning the results of the 
previous arithmetic calculations, and which enable 
the processor to perform various exception or trap 

operations in response thereto. The fields are not 

relevant to the instant invention and will not be 
described further herein. 

Both the processor status longwords 60 and 66 
ttlsu lnuluUw IPL luleiiupl prluilly Iwvwl Ileitis 80 taiU 
80A which identify the interrupt priority level at 
which the processor is operating. The processor 
can use the contents of this field and the contents 
of the real or virtual interrupt summary registers 56 
and 64 to determine whether an interrupt is pend- 
ing at a higher priority level than the current op- 
erating level as contained in the IPL interrupt prior- 
ity level fields 80 and 80A, and, if so, process the 
Interrupt request. 

Current mode fields 81 and 81 A and previous 
mnrifl fields R2 and A2A identify respentively, the 
current operating mode and previous operating 
mode (see Rg. 2B), and specifically contains the 
code depicted in Fig. 2B which identifies either the 
kernel, executive, supervisor or user operating 
mode. These fields do not indicate whether the 
processor is in the virtual, or real (non-virtual) 
mode. 

A VM virtual mode field 84, contained only in 
the processor status longword 60, when set, in- 
dicates that the processor is currently operating in 
a virtual mode, thereby enabling the processor to 
use registers 61 through 66. When field 84 Is clear, 
the processor is operating in a real (non-virtual) 
mode, using registers 53 through 57 and 60. 

An IS interrupt stack field 83 or 83A Indicates 
that the processor Is operating on Its Interrupt 
stack; that is, the contents of the stack pointer 
register R14 are derived from the contents of one 
of the Interrupt stack pointer 55 or VM Interrupt 
stack pointer 63, depending on the state of VM 
field 84 in processor status longword 60. Since the 
contents of stack pointer register R14 may have 
boon changod If tho contonts of tho othor registers 
have been transferred to the interrupt stack, the 
contents of the register R14 may not be exactly the. 
, same as the contents of register 55 or 63. 

As will oe. appreciated by those skilled in the 
art, a virtual machine, that is, a computer system 
(Fig. 1A) whose processor is operating in a virtual 
mode, may Itself be running a virtual machine 
monitor providing a second level of virtualization. If 
that occurs, a further set of registers similar to 
register 61 through 66 typically are provided. Any 
of these additional registers may be physically 



located in either the processor 10 or in the memory 
11 (Rg. 1A). The VM processor status longword 66 
does not require a VM field corresponding to field 
84 In processor status longword 60 to accomplish 

5 this second level of virtualization. 

It will also be appreciated that additional virtual 
stack pointer registers may have to be provided for 
various virtual operating modes if the protection 
rings are compressed drfforontly than tho opooifio 

w embodiment disclosed herein. As is discussed 
above in connection with Rgs. 2C and 2D, the 
compression function used with a specific system 
may result In compression of different virtual mode 
operating modes than the kernel and executive into 

75 a single real mode operating mode. If, for example, 
the virtual mode executive and supervisor operat- 
ing modes are compressed into the real mode 
supervisor operating mode, and the virtual mode 
kernel operating mode corresponds to the real 

20 mode executive operating mode, the virtual ma- 
chine may use the executive stack pointer register 
also used by the real machine, and an additional 
register must be provided for the virtual mode 
executive npnratlno mode Similarly, if the virtual 

25 mode kernel, executive and supervisor operating 
modes are all compressed, with the virtual mode 
user operating mode, to correspond to the real 
mode user operating mode, additional stack pointer 
registers must be provided for the virtual mode 

30 kernel, executive and supervisor operating modes. 

5. Probing Operands And Instructions 

As has been noted, certain instructions are 
35 privileged, that is, they are only executed by the 
processor 10 (Rg. 1A) when it is in the kernel 
operating mode (Fig. 2A). in addition, it is desirable 
to prevent the processor 10 from accessing data 
stored in memory 1 1 that is for programs in more 
40 privileged operating modes when the processor is 
operating In a less privileged operating mode. 

Accordingly, prior to retrieving any operands 
and executing any instructions, the CPU performs a 
PROBE operation on the operands and the opera- 
45. tion code of each instruction before executing the 
instruction. 

With rotorenco to Rg. 4, when the CPU 10 
retrieves an instruction, which includes the opera- 
tion code (op code) and operand specifiers (step 

so 100), it first probes the memory locations contain- 
ing the operands, which are Identified by the 
operand specifiers in the Instruction, to determine 
whether they are accessible by the program with 
the processor in Its current operating mode (step 

55 101). If they are not accessible, an error has oc- 
curred. ^ 

However, if the operands' are accessible to the 
program at. the current operating mod© (step 101), 
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the processor then determines whether the opera- 
tion required by the instruction is privileged, that Is, 
whether the instruction is a privileged instruction 
executable in kernel mode only (step 102). If the 
instruction is not privileged , the processor retrieves 
the operands and executes the instruction (step 
103). 

If, however, in step 102 the processor deter- 
mined thot tho inotruotion woo prlvilogod, tho pro 
cessor sequences to step 104 to test the current 
mode field 81 in the processor status longword. if 
the processor Is operating in a virtual mode, it tests 
the current mode field In me VM processor status 
longword 66, and otherwise tests the corresponding 
field in the processor status longword register 60. If 
the processor is not in the kernel operating mode 
(step 104) it signals an error. 

However, if, in step 104, the processor did 
determine that it was in the kernel operating mode, 
it tests the VM virtual mode field 84 of the proces- 
sor status longword register 60 to determine wheth- 
er the processor is operating in a virtual mode 
(step 105). If the processor is operating in a virtual 
mod*, the processor may execute the instruction 
directly or the virtual machine monitor may emulate 
the instruction (step 106). If the processor is not 
operating in a virtual mode, the processor executes 
the Instruction directly (step 107). The steps per- 
formed by the virtual machine monitor to emulate 
Instructions are conventional and will not be de- 
scribed in detail herein. 

Since the processor, when it retrieves an in- 
struction, first probes the operand prior to deter- 
mine whether the instruction is privileged, it can 
trap to the virtual machine monitor, in the event 
that the instruction requires emulation, and the vir- 
tual machine monitor will not itself then have to 
probe the operands to determine whether they are 
accessible by the program. This has several bene- 
fits, Including simplification of the virtual machine 
monitor, since It does not have to include routines 
for performing the operation, and reduction of the 
likelihood of an error having to be taken in the 
virtual machine monitor in the event that a page Is 
not present in memory. If the operand probe opera- 
tion detects that a page containing the operands is 
nut in iiibinuiy, Ui» piuueasui lakes » page fault In 
the instant invention, this occurs before the proces- 
sor traps to the virtual machine monitor for emula- 
tion of the instruction. 

6. Privileged Instruction Execution 

Figs. 5 through 9 contain flow diagrams which 
Illustrate the operations of processor 10 in execut- 
ing some of the VAX-1 1 privileged instructions. The 
instructions, and others forming the VAX-1 1 in- 
struction srI, are riosnribRd in the aforementioned 



VAX-1 1 Architecture Reference Manual, for a pro- 
cessor which does not have a virtual mode. The 
figures detail the operations of the processor 10 
which has both a real (non-virtual) and virtual 
s mode. 

As noted above, the privileged instructions may 
be emulated when the processor is operating in the 
virtual mode or they may be executed by the 
procoooor dirootly in roaponso to microcode or 
10 similar control mechanisms in the processor. In one 
embodiment of the invention in which microcode is 
used to control the internal operations of the pro- 
cessor in executing instructions, me instructions 
are embodied in microcode to the extent of micro- 
is code control store in pre-existing processors con- 
structed in accordance with the VAX-1 1 architec- 
ture, and instructions not so embodied are emu- 
lated by the virtual machine monitor. Alternatively, 
a microcoded processor may embody all of the 
20 instructions in microcode and execute them di- 
rectly, or all of the instructions may be emulated 
by the virtual machine monitor, depending on the 
size of the microcode control store in the proces- 
sor. In a processor controlled by combinatorial log- 
25. ic, the logic may also control the operation of the 
processor in processing the privileged instruction, 
or the instructions may be emulated by the virtual 
machine monitor. The detailed operations per- 
formed by the processor 10 in both the virtual and 
30 real modes are contained in the flow diagrams In 
Rgs. 5 through 9, and will not be repeated here in 
detail. However, brief comments on the steps used 
in processing of the instructions will be presented 
below. 

35 

HALT Instruction 

The HALT instruction is used to stop the pro- 
cessor. When the processor receives the HALT 

40 instruction in connection with a program in a virtual 
machine, if the. virtual machine Is in the kernel 
mode, the instruction halts that virtual machine, and 
not the processor as a whole. Thereafter, the pro- 
cessor 10 can continue executing in a real mode or 

45 as any other virtual machines which may be run- 
ning in a virtual mode. 

MOVE PROCESSOR STATUS LONGWORD to 
(Destination) 

• 50 

The Instruction MOVE PROCESSOR STATUS 
LONGWORD to a selected destination, the destina- 
tion being identified by the operand specifier which 
accompanies the instruction, is detailed in Fig. 6. In 
65 response to the instruction, the processor must 
determine If it is operating in a virtual mode to 
determine whether the contents of the processor 
status longword in register fin (Fig. 3B) or th« 
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contents of the VM processor status longword 66 
(Fig. 3C) should be moved. 

RETURN FROM EXCEPTION OR INTERRUPT 

in processing the RETURN FROM EXCEP- 
TION OR INTERRUPT instruction, depicted in Figs. 
7A-1 through 7E, the processor 10 first tests the 
virtual modo fiold 84 of tho ourront prooeoeor eta- 

tus longword, that Is, the contents of processor 
status longword 60 used when the processor is 
servicing the interrupt or exception, and the pro- 
cessor status longwurd reUleveU from the stack In 
response to this instruction. 

Depending on the status of the VM fields 84 in 
the two processor status longwords, the processor 
may be 

(1) returning from interrupt or exception or ex- 
ception service in a real mode to processing in 
a real mode, if the VM fields of both the current 
and the retrieved processor status longwords 
are clear; 

(2) returning from interrupt or exception or ex- 
ception service in a rftfll rondo to processing in 
a virtual mode, tf the VM field of the current 
processor status longword is clear, and the VM 
field of the retrieved processor status longword 
Is set; 

(3) returning from interrupt or exception or ex- 
ception service in a virtual mode to processing 
in a virtual mode, if the VM field of the current 
processor status longword is set and the VM 
field of the retrieved processor status longword 
is clear; and 

(4) returning from interrupt or exception or ex- 
ception service in a virtual mode to processing 
in a second level of virtuallzation, if the VM 
fields of both the current and retrieved proces- 
sor status longwords are set. 

If the VM field 84 of neither processor status 
longword is set, that is, if the processor was not 
operating in a virtual mode (that is, it was operating 
in a real mode) when it was servicing the interrupt 
or exception, and it is returning in a real mode, the 
processor returns In a conventional manner. 

If the interrupt or exception was serviced by 
the processor in a real mode, but tho processor Is 
returning In a virtual mode (Fig. 7A-2) (case 2) the 
contents of the VM processor status longword 66 
and the retrieved processor status longword are 
compared to ensure that they correspond, that is, 
the fields of the processor status longword re- 
trieved from the stack are compared to correspond- 
ing fields of the VM processor status longword 
register to ensure that the retrieved processor sta- 
tus longword is a "safe equivalent" of the VM 
processor status longword. To form a "safe equiv- 
alent" processor status longword the arithmetic 



fields 70 through 76 and the trace flag 77 should 
be the same as the retrieved processor status 
longword, the interrupt or exception priority level 
field 80 and interrupt or exception stack field 83 

6 should both be clear and the previous and current 
operating mode fields 81 and 82, should also be 
the same as the retrieved processor status long- 
word, except that if either indicate the kernel op- 
orating modo, it chould bo modified to indiooto tho 

w executive operating mode. The VM (virtual mode) 
field 84 of the retrieved processor status longword 
should also be set. After verifying the retrieved 
pioueasur status lungword, the processor continues 
returning In a conventional manner. 

15 If the interrupt or exception was processed in a 

virtual mode, but the processor status longword 
retrieved from the stack indicates that the proces- 
sor is returning in a real mode (case 3), the re- 
trieved processor status longword is stored in the 

20 VM processor status longword register 66, and a 
new "safe equivalent" processor status longword is 
formed therefrom for storage In processor status 
longword register 60. The sequence of forming the 
orw processor status longword for register 60 is 

>6 set forth in Fig. 7D. After verifying the retrieved 
processor status longword, the processor continues 
returning in a conventional manner. 

Finally, if the VM fields of both the current and 
the retrieved processor status longwords are set 

30 (case 4). the processor traps to the virtual machine 
monitor. 

CHANGE OPERATING MODE instruction 

36 The change operating mode instruction depict- 

ed in Figs. 8A-1 and 8A-2 is provided to allow the 
program to change operating modes as between 
the kernel, executive, supervisor and user from a 
less-privileged operating mode to a more privileged 

40 operating mode (Fig. 2B). In doing so, the proces- 
sor first determines the new mode, then saves the 
contents of the stack pointer register R14 in the 
current mode stack pointer, loads into the stack 
pointer register R14 the contents of the new 

45 mode's stack pointer and stores the contents of 
selected registers and the operand of the instruc- 
tion onto tho stack identified by tho now stack 
pointer. For example, if the processor is changing 
from the user operating mode to the supervisor 

so operating mode, the contents of the stack pointer 
register H14 are' transferred to the user stack point- 
er register 50, and are replaced by the contents of 
the supervisor stack pointer register 51 . 

If the change mode is to or from the kernel 

65 operating mode, the processor tests the contents of 
the VM field 84 of the processor status longword to 
determine which of the kernel stack pointer register 
53 or the VM kernel stack pointer register 61 is 
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used in processing the instruction. 

The processor then tests the accessibility of 
the memory location identified by the new contents 
of the stack pointer register in the new operating 
mode. However, if the new operating mode is the s 
kernel operating mode, and if the processor is 
operating in a virtual mode, the location must be 
accessible by the executive mode. Thus, with refer- 

onoo to Fig. 2A, If tho proooooor io in o virtual 
mode, and the current operating mode Is the ker- to 
nel, locations in memory must be accessible by the 
processor when operating at the real executive 
mode, Thus the virtual executive and virtual kernel 
operating modes are compressed Into the real ex- 
ecutive mode as depicted in Fig. 2A. is 

Probe Accessibility of Memory Location 

The PROBE instruction, depicted in Rg. 9, 
checks the read or write accessibility of one or so 
several locations in memory specified as the 
operands of the instruction. 

Other Instructions 

25 

The sequences of operations to execute other 
privileged instructions, including a LOAD PRO- 
CESS CONTEXT instruction, a SAVE PROCESS 
CONTEXT instruction and MOVE TO and MOVE 
FROM processor register instructions are also 30 
modified from the sequences depicted in the VAX- 
1 1 Architecture Reference Manual to accommodate 
the virtual mode. All of these Instructions move the 
contents of certain processor registers to memory, 
or the contents of certain memory locations to 35 
Identified registers. For the LOAD PROCESS CON- 
TEXT and MOVE TO PROCESSOR REGISTER 
instructions, the modifications ensure that, the re- 
trieved data are. loaded, in the correct set of regis- 

' ters, and for the SAVE PROCESS CONTEXT and 40 
MOVE FROM PROCESSOR REGISTER instruc- 
tions, the data are moved from the correct regis- 

. ters. 

The foregoing description has been limited to a 
specific embodiment of this invention. It will be 45 
apparent, however, that the invention can be prac- 
ticed in computer systems having diverse basic 
construction than is disclosed in this specification 
with the attainment of some or all of the advan- 
tages of the invention. Therefore, it is the object of 50 
the appended claims to cover all such variations 
and modifications as come within the true spirit and 
scope of the invention. 

Claims 55 

1. A processor for use in a computer system, 
said computer system comprising (a) a CPU 



which operates in a real mode or a virtual 
mode, said CPU having in both real and virtual 
modes a set of operating modes forming pro- 
tection rings defining a hierarchy of privilege 
levels, said protection rings preventino pro- 
cesses in an outer, less privileged, ring from 
interfering with processes in a relatively inner, 
more privileged, ring; (b) a virtual machine 

monitor oyotom (WM); (c) momory moono in 
eluding several types of I/O units and memory, 
said memory including a plurality of addres- 
sable storage locations for storing instructions 
requiring access to the memory locations, said 
memory means further including plural groups 
of memory locations, wherein the number of 
memory locations in each memory group may 
vary, each memory group having an asso- 
ciated privilege means for identifying the pro- 
tection ring operating modes in which said 
processor can access any memory location in 
the group; (d) means connected to said CPU 
and said memory means for iteratively retriev- 
ing instructions from said memory means; (e) 
virtual mode indicating means for indicating 
whether or not said CPU is operating in virtual 
mode; (f) operating mode indicating means for 
identifying the privilege level of the current, 
protection ring operating mode of said CPU; 
and (g) means tor enabling access to said 
memory means depending on information from 
said virtual mode indicating means, from said 
operating mode Indicating means; said proces- 
sor comprising: 

(A) processing means for processing In- 
struction in "N" protection ring operating 
modes each associated with one of a hierar- 
chy of privilege levels, where "N" is at least 
three; 

(B) inhibiting means connected to said pro- 
cessing means for inhibiting said processing 
means from executing at least some of the 
instructions unless the processor is in an 
operating mode having a selected privilege 
level; 

(C) operand probing means, including: 

i. operand privilege retrieval means con- 
nected lo saiJ insliucliuii reliiaviiiy 
means and responsive to the retrieval of 
an instruction for obtaining the privilege 
means associated with a memory loca- 
tion identified by an operand specifier; 

ii. operand privilege comparison means 
connected, to said operating mode in- 
dicating means and said operand privi- 
lege retrieval means for determining it 
the privilege level of the current operat- 
ing mode is at least as high as the privi- 
lege level obtained by said operand privi- 
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lege retrieval means; and 
(D) Instruction probe means connected to 
. said operand probe means, . said operating 
mode indicating means, said instruction re- 
trioval moans, and said inhibiting moans r 
8nd responsive to a successful determina- 
tion by said operand privilege comparison 
means for enabling said inhibiting means to 
inhibit oxocution of o retrieved inotruction by 

said processing means If said operating 10 
mode indicating means does not Identify a . 
mode having the required privilege level for 
me instruction. 

A processor for use In a computer system, 75 
said processor including processing means for 
processing instructions in at least three protec- 
tion ring operating modes each associated with 
one of a hierarchy of privilege levels, the com- 
puter system further including a memory in- 20 
eluding a plurality of addressable storage loca- 
tions for storing instructions requiring access 
to memory locations and including operation 

code moans Identifying the operation to be 
performed, each memory location having an 25 
associated privilege means for identifying the 
protection ring operating modes in which the 
processor can access the memory location, 
said processor further including: 

a. means for iteratively retrieving instruc- 30 
tions from the memory; 

b. operating mode indicating means for 
identifying the privilege level of the current 
operating mode of said processor; 

c. virtual mode indicating means having a 36 
set condition when said processor is operat- 
ing in a virtual mode and otherwise having a 
clear condition; and 

d. probe means connected to said process- 
ing means, said Instruction retrieval means, 40 
said operating mode indicating means, said 
virtual mode indicating means and for con- 
nection to tho momory for comparing tho 
contents of the operating mode indicating 
means to a less privileged operating mode 45 
level If the indicating means has a set con- 
dition and the operating mode Indicating 
means Identifies the most privileged operat- 
ing mode, and for comparing the contents 

of the operating mode indicating means to so 
at least the least privileged operating mode 
level if the indicating means has a set con- 
dition and the operating mode indicating 
means identifies a less privileged operating 
mode to determine whether the processor 65 
can access the required memory locations 
for enabling said processing means to ex- 
ocuto tho Instruction in rospnnso to a suc- 



cessful comparison. 

3. A processor for use in a computer system, 
said processor including processing means for 
pronossing instructions in at loast throo nrntoo- 
tion ring operating modes each associated with 
one of a hierarchy of privilege levels, each 
memory location having an associated privi- 
lege meane for identifying the protection 
modes in which the processor can access the 
memory location, said processor further Includ- 
ing virtual machine monitor means for estab- 
lishing the protection means ring operating 
mode in said privilege means including means 
for determining the privilege level to be as- 
signed to the -contents of each said memory 
location and means for enabling the privilege 
means to identify the second most privileged 
operating mode level if the contents of the 
memorv location is to have assigned thereto 
the most privileged operating mode, and other- 
wise establishing the privilege means to Iden- 
tify the operating mode level to be assigned 

thereto. 

• t "■ 

4. A processor as defined in claim 11 further 
including virtual machine monitor means for 
determining the privilege level to be assigned 
to the contents of each memory location and 
means for enabling the privilege means to 
identify a lower privileged operating mode lev- 
el if the contents of the memory location is to 
have assigned thereto the most privileged op- 
eration mode, and otherwise establishing the 
privilege means to identify the operating mode 
level to be assigned thereto. 
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FIG. 7A-6 
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